Support Home > Security > Protect your site with brute force protection

Protect your site with brute force protection

Protect yourself against unwanted login attempts with brute force protection. (Formerly known as Jetpack Protect.)


To protect your website immediately, Brute force protection is activated by default when you connect Jetpack to your account. You can deactivate and reactivate either from:

  • WP Admin: Jetpack → Settings → Security.
  • WP AdminJetpack → Protect in the Firewall tab – this option requires the Jetpack Protect plugin to be active.
  • Dashboard: Settings Security.

If this feature has locked your site’s login page and you cannot access your WP Admin, you can temporarily deactivate the brute force protection via your Dashboard under Settings > Security.


With brute force protection activated, you can allowlist IP addresses. Allowlisting may be necessary if you’ve made too many failed login attempts to your site or Jetpack has detected unusual behavior from your current IP address.

  1. Start by navigating to:
  • WP Admin: Jetpack → Settings → Security or Jetpack → Protect → Firewall (if you have the Jetpack Protect plugin active).


  1. Enter the IP list you wish to add into the Always allowed IP addresses / Trusted IP addresses field.
  2. Separate multiple IP addresses with a comma.
  3. To specify a range, enter the low value and high value separated by a dash. Example:

Your current IP address is also shown on the page, so you can easily add it to your allowlist.

Both IPv4 and IPv6 addresses are accepted.

If you lost access to your WP Admin, you will need to access the settings via your Dashboard at Settings Security.

You can also allowlist one IP address by setting it as the JETPACK_IP_ADDRESS_OK constant in your wp-config.php file like this: define('JETPACK_IP_ADDRESS_OK', 'X.X.X.X');


You can check the count of the “total malicious attacks blocked on your site” in your Jetpack → Dashboard under the Security section in the Brute force protection block.

How brute force protection works

The length of time a block lasts is based on a number of factors and is not a set amount of time.

Math captcha on your login page

The math captcha is used as a fallback for the brute force protection feature. If your IP has been blocked due to too many failed login attempts, you may still access your site by correctly filling out the math captcha along with the correct login credentials. In very rare cases, you might see the captcha if you’ve not obtained an API key, or during times of very heavy attacks.

Brute force protection on Multisite

In a WordPress Multisite installation, you can log into any account that exists on the network through any login page on the network. As a result, if you have Jetpack’s Brute force protection active on some sites but not all, then no site is truly being protected.

To address this, please network enable Jetpack on your multisite installation and activate the brute force protection feature on the network’s primary site.  Once completed, Jetpack’s brute force protection feature will be activated on every site on your network, even if Jetpack isn’t connected on those sites.

Multiple blocked malicious login attempts

You may worry if you see a high number of blocked suspicious login attempts. But rest assured this means the feature is working as expected!

There are thousands of “bots” out there trying to gain access to sites all over the internet. No matter what size your site is, there’s always someone or something trying to “break in”. WordPress is very secure and usually the weakest point is someone’s password. Bots consequently try to guess people’s passwords to get in.

Jetpack’s brute force protection feature collects information from failed attempts from millions of sites and protects you from these attacks. For example, if a bot tried to gain access to site A, and then went to site B, Jetpack’s brute force protection would already know who this bot is and before it even tries to get into site B, it would be blocked.

Along with that, it’s also really important to have strong secure passwords.

Information about the blocked attacks

For example, you might be wondering:

  • Which usernames need more securing?
  • Is this via wp-login, or via XMLRPC?
  • From which IP addresses do these arrive?
  • When did these occur? Is there a pattern?
  • If these were found, how many more are there that were not detected?

We don’t have access to this information. Jetpack’s brute force protection was built to be lean and simple. It’s built in such a way that you don’t have to think about these questions or make any decisions. As such, the only data we store is the total number of attacks blocked.

Troubleshoot Jetpack brute force protection

Please read our brute force protection troubleshooting article for tips.

Still need help?

Please contact support. We’re happy to advise.

Privacy Information

Jetpack brute force protection is activated by default. It can be deactivated at any time by toggling the Brute force protection setting under Jetpack → Settings → Security on your WP Admin dashboard.

For general features and FAQs, please see our Jetpack Security features.

More information about the data usage on your site
Data Used
Site Owners / Users

In order to check login activity and potentially block fraudulent attempts, the following information is used: attempting user’s IP address, attempting user’s email address/username (i.e. according to the value they were attempting to use during the login process), and all IP-related HTTP headers attached to the attempting user.

Additionally, for activity tracking (detailed below): IP address, user ID, username, site ID and URL, Jetpack version, user agent, visiting URL, referring URL, timestamp of event, browser language, country code.

Site Visitors

In order to check login activity and potentially block fraudulent attempts, the following information is used: attempting user’s IP address, attempting user’s email address/username (i.e. according to the value they were attempting to use during the login process), and all IP-related HTTP headers attached to the attempting user.

Activity Tracked
Site Owners / Users

Failed login attempts.

We track when, and by which user, the feature is activated and deactivated. We also set a cookie (jpp_math_pass) for 1 day to remember if/when a user has successfully completed a math captcha to prove that they’re a real human. Learn more about this cookie.

Site Visitors

Failed login attempts.

We set a cookie (jpp_math_pass) for 1 day to remember if/when a user has successfully completed a math captcha to prove that they’re a real human. Learn more about this cookie.

Data Synced (Read More)
Site Owners / Users

Options that identify whether or not the feature is activated and how its available settings are configured. We also sync the site’s allowlisted entries (as configured by the site owners), the Protect-specific API key used for login checking, and any failed login attempts, which contain the user’s IP address, attempted username or email address, and user agent information.

Site Visitors

Failed login attempts, which contain the user’s IP address, attempted username or email address, and user agent information.

  • Table Of Contents

  • Contact Us

    Need more help? Feel free to contact us.